As technology continues to be embedded into all walks of life, our homes, businesses, governments and entire countries' critical infrastructure have become increasingly at risk of being digitally attacked. In the last twelve months alone, 37% of UK companies have reported a data breach incident to the Information Commissioner's Office (ICO), with 17% recording more than one incident.
As we all know, cyber criminals continue to learn and overcome defence mechanisms, and attacks are increasing in complexity, making it harder for businesses to keep control of their assets. In some cases, cyber criminals are holding organisations to ransom for financial gain as panicked businesses need to get back up and running but, in other cases, cyber criminals’ main ambition is to cause as much disruption as possible, including large scale shutdowns of life-critical services.
Earlier this year, we saw a halt in services for Colonial Pipeline in the US due to a ransomware attack that forced the private company to pay an estimated $5 million in Bitcoin to regain control and continue services. In the same month, Ireland's Health Service Executive was put under pressure to deliver a ransom fee of $20 million to keep their patients' personal data from going public, although even after an agreement was made, 520 records still made their way onto the dark web.
Now in 2021, where many organisations are prepared for the possibility of an attack on their IT infrastructure, cyber criminals have had to work harder to develop new tactics that can evade security systems whilst still gaining financially. ‘Double-extortion’ ransomware attacks are a prime example.
What is double-extortion ransomware?
Double-extortion ransomware is a growing tactic among cyber criminals: they not only demand a ransom for the data they have encrypted, but also keep a stolen copy of it, promising to withhold it from publication only if the ransom is paid. If the ransom is not paid within the required timeframe, the criminals publish the data for all to see, including possible competitors.
They threaten a public and/or customer “name-and-shame” campaign if you don’t pay up and, according to Emsisoft research, the number of cyber criminals adopting the “name-and-shame” tactic is growing. The research found that out of 100,101 received reports of ransomware attacks on both businesses and public sector bodies, 11.6% of those were by groups that steal and publish data in “name-and-shame”-style attacks.
And it isn't only rogue actors working with larger dark web organisations that are a threat. There is also a growth in crimeware-as-a-service involving nation-state actors, which is increasingly adding to geopolitical tensions. Nation-states are buying tools and services from the dark web, while tools developed by nation-states are also making their way onto the black market. In fact, according to a recently published study, almost two-thirds (65%) of experts believe nation states are making money from cyber crime, while 58% say it is becoming more common for nation states to recruit cyber criminals to conduct cyber attacks. So, how can organisations detect, respond to, and recover from this growing threat?
Developing a data recovery plan in the face of disaster
For an attacker to be successful in extorting a ransom, they must first make sure that recovering useful data is impossible; otherwise they run the risk of decision makers failing to pay up. So they disable or destroy backups, making it near impossible to recover any valuable data. Only then do they turn their hands to the available production data.
By developing a dedicated compromised data risk management plan, businesses are able to improve their odds and make recovering cyber-compromised data far more likely than it would be under a standardised data recovery process. Ransomware demands have never been higher, and readying an organisation requires rethinking existing data recovery plans.
To address these recurring challenges, organisations should consider establishing a compromised data risk management plan based on pre-existing good practices, speaking to key stakeholders around the business to help identify which data needs to be prioritised in a recovery scenario. To do this successfully, organisations need to plan for the five most critical steps to recovering damaged data:
- Identify — Identifying and justifying the organisation's Vital Data Assets (VDAs). This is the data that requires an additional level of protection; it is the business's must-have data.
- Protect — Capabilities to improve the odds that you will have current, clean data to restore, for example a failsafe copy that is safe from a cyberattack.
- Detect — Identifying vulnerabilities or weaknesses in your controls that can increase the risk of unauthorised access to the organisation's VDAs.
- Respond — The plans, processes and procedures to be followed in the aftermath of a successful data-compromising event.
- Recover — The rehearsals, tests and exercises that prepare the teams for this eventuality.
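As an added illustration (not code from the article), the following Python check ties the Identify, Protect and Detect steps together: given a VDA inventory and a backup catalogue, it reports which assets lack a clean, fresh, immutable copy, i.e. one an attacker who has disabled the production backups could not have destroyed or tampered with. Asset names, backup tiers and the catalogue contents are all constructed for this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed VDA inventory: asset name -> maximum tolerable age (hours) of a clean copy.
VDA_INVENTORY = {"customer-db": 24, "payroll": 72, "design-files": 168}

# Constructed backup catalogue. 'expected' is the digest recorded when the copy was
# taken; 'data' is what the copy holds now. Only 'immutable' copies count as failsafe,
# since online copies are the first thing an attacker disables.
def backup_copy(asset, tier, age_hours, data, expected=None):
    return {"asset": asset, "tier": tier, "taken": NOW - timedelta(hours=age_hours),
            "data": data, "expected": expected or sha256(data)}

BACKUP_COPIES = [
    backup_copy("customer-db", "immutable", 6, b"customers v1"),
    backup_copy("customer-db", "online", 1, b"customers v2"),
    backup_copy("payroll", "immutable", 96, b"payroll v1"),        # older than its 72h limit
    backup_copy("design-files", "immutable", 12, b"designs TAMPERED",
                expected=sha256(b"designs v7")),                    # content no longer matches
]

def assess_vda_readiness(inventory, copies, now=NOW):
    """Return {asset: [findings]}; an empty list means a clean, fresh failsafe copy exists."""
    findings = {asset: [] for asset in inventory}
    for asset, max_age_hours in inventory.items():
        failsafe = [c for c in copies if c["asset"] == asset and c["tier"] == "immutable"]
        if not failsafe:
            findings[asset].append("no immutable copy")
            continue
        usable = []
        for c in failsafe:
            # Verify the copy still matches the digest recorded at backup time.
            if sha256(c["data"]) != c["expected"]:
                findings[asset].append("integrity mismatch on immutable copy")
            else:
                usable.append(c)
        fresh = [c for c in usable if now - c["taken"] <= timedelta(hours=max_age_hours)]
        if not usable:
            findings[asset].append("no clean immutable copy")
        elif not fresh:
            findings[asset].append("newest clean copy older than %dh" % max_age_hours)
    return findings
```

Running the check over the constructed catalogue flags payroll (stale) and design-files (tampered) while customer-db passes, which is the kind of gap the Detect step is meant to surface before an incident rather than during one.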
Making it work
Everyone is susceptible to zero-day attacks, where vulnerable organisations get no warning that would let them fix the targeted flaw before it is exploited. The constantly evolving tactics of cyber criminals mean that existing detection and prevention tools are unable to keep up and alert those who are in danger of losing data. On top of outside threat actors, every organisation is susceptible to internal threats, such as a disgruntled employee with privileged access to the network. In spite of awareness training, human error is still a risk, and network access is only one accidental click on an embedded link away.
Ultimately, it’s up to each organisation to look at the big picture, based on their unique points of view and the perspectives that inform it. With double-extortion ransomware on the rise, businesses are under continued pressure to ensure they keep things running smoothly, whilst increasing public awareness of data collection has made it even more important for organisations to be prepared for such an attack.
The threat of a ransomware attack is significant, but one that is capable of destroying brand reputation and customer trust could be even more business critical. Before a successful double-extortion ransomware attack forces an organisation to take action, they should have briefed the business in its entirety as well as working closely with executive management on which data should be the priority during a recovery mission. Only then can businesses be prepared enough to ensure they have time to act before a ransomware attack takes control.